Hi,

On Fri, Oct 27, 2023 at 10:33:03AM +0200, David Sommerseth wrote:
> Unit files not provided by the OpenVPN
> project may indeed be as bad as a home grown sys-v init script which doesn't
> do all the needed things OpenVPN or the system itself expects.

A home-grown sys-v init script is quite unlikely to mess with OpenVPN's
operation as badly as all these nice Systemd features are, like "take
away capabilities" or "protect /tmp" ;-)

[..]
> In the end ... securing, hardening and ensuring a system runs stable, that
> does have some user experience costs - just like it's been a huge change in
> the Windows world too, going from the Win95 "you're all admins by default"
> to all the limitations you'll face out-of-the-box in Win11.

Windows is *much* less annoying today than all the ways Systemd gets into your
way on today's Linux distributions.

But that might be a bit of Stockholm Syndrome.

[..]
> OpenVPN 2 out-of-the-box without systemd (or any other execution strategy
> restricting capabilities in advance) will have lots of possibilities on the
> host.  Systemd in OpenVPN 2.x context just ensures the process is started
> with as few privileges as possible to start running.  Which can reduce the
> possibilities of a misbehaving/misconfigured OpenVPN to actually do
> unexpected harm to the system.

OpenVPN 2 has all the capabilities it needs to do so (--user nobody,
plus the required capability management to work with DCO).  All systemd
adds here is "make troubleshooting more complicated".

> Systemd doesn't "mess with OpenVPN".

If it takes away capabilities OpenVPN needs, how would you call it, then?

"Sabotage"?

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
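When troubleshooting "systemd took away a capability OpenVPN needs", the quickest check is what the running process actually ended up with. The following is an added example, not code from this thread or from the OpenVPN project: it parses the Cap* lines of /proc/<pid>/status and reports which of an assumed required set (CAP_NET_ADMIN, CAP_SETUID, CAP_SETGID, chosen here for illustration) are missing from the bounding and effective sets.

```python
#!/usr/bin/env python3
"""Report which capabilities a process is missing from a required set.

Point it at an openvpn PID started by systemd to see what the unit's
restrictions removed. REQUIRED is an assumption for illustration only.
"""
import sys

# Capability numbers from <linux/capability.h> for the ones checked here.
CAP_NUMBERS = {
    "CAP_DAC_OVERRIDE": 1,
    "CAP_SETGID": 6,
    "CAP_SETUID": 7,
    "CAP_NET_BIND_SERVICE": 10,
    "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13,
    "CAP_IPC_LOCK": 14,
    "CAP_SYS_CHROOT": 18,
}

# Assumed minimum for an instance that drops to --user nobody and manages tun/routes.
REQUIRED = {"CAP_NET_ADMIN", "CAP_SETUID", "CAP_SETGID"}


def parse_cap_masks(status_text: str) -> dict:
    """Return {'CapBnd': int, 'CapEff': int, ...} from /proc/<pid>/status text."""
    masks = {}
    for line in status_text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, value = line.split(":", 1)
            masks[key.strip()] = int(value.strip(), 16)
    return masks


def missing_caps(mask: int, required=REQUIRED) -> list:
    """Names in `required` whose bit is clear in `mask`, sorted for stable output."""
    return sorted(c for c in required if not mask & (1 << CAP_NUMBERS[c]))


def check_status(status_text: str) -> dict:
    """Missing capabilities per set; an empty list means everything required is present."""
    masks = parse_cap_masks(status_text)
    return {name: missing_caps(masks.get(name, 0)) for name in ("CapBnd", "CapEff")}


# Constructed sample: 0x3000 = CAP_NET_ADMIN|CAP_NET_RAW only, no SETUID/SETGID.
SAMPLE_STATUS = "Name:\topenvpn\nCapInh:\t0000000000000000\nCapPrm:\t0000000000003000\n" \
                "CapEff:\t0000000000003000\nCapBnd:\t0000000000003000\nCapAmb:\t0000000000000000\n"

if __name__ == "__main__":
    pid = sys.argv[1] if len(sys.argv) > 1 else None  # no PID: use the constructed sample
    text = open(f"/proc/{pid}/status").read() if pid else SAMPLE_STATUS
    for set_name, missing in check_status(text).items():
        print(f"{set_name}: missing {missing or 'nothing'}")
```

Run as `python3 capcheck.py $(pidof openvpn)` on a live system; with the sample it reports CAP_SETGID and CAP_SETUID missing from both sets.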


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
